
How to disable the support for SSLv2 LOW encryption ciphers?

October 23rd, 2008

Secure Sockets Layer (SSL) is the standard security technology for creating an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and secure. The SSLv2, SSLv3, and TLS (1.0) protocols all provide a secure channel between clients and servers.

There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular web-servers, mail-servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

Follow the steps below to disable LOW encryption ciphers like SSLv2 on the Apache, IIS and Tomcat web servers and allow secure channel connections via SSLv3 only.

  • Apache
    Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    For Apache/apache_ssl, include the following line in the configuration file (httpsd.conf):

    SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  • Tomcat
    sslProtocol="SSLv3"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

  • IIS
    • Click Start, click Run, type regedt32 or type regedit, and then click OK.
    • In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    • On the Edit menu, click Add Value.
    • In the Data Type list, click DWORD.
    • In the Value Name box, type Enabled, and then click OK.
      Note: If this value is present, double-click the value to edit its current value.
    • Type 00000000 in Binary Editor to set the value of the new key equal to "0".
    • Click OK. Restart the computer.

For more details, please refer to Microsoft articles 187498 and 245030.

How can you verify it?

SSH to your server and type the following command:

root@ [~]# openssl s_client -ssl2 -connect localhost:443

If everything is fine, you should receive something like this:

root@ [~]# openssl s_client -ssl2 -connect localhost:443
CONNECTED(00000003)
write:errno=104
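
A static complement to the live s_client test above, added here as an example and not part of the original post: the script evaluates each SSLProtocol line of an Apache/mod_ssl config according to mod_ssl's +/- token syntax and reports the lines that leave SSLv2 on. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag SSLProtocol lines in an
# Apache/mod_ssl config that still allow SSLv2.

# Exit 0 if the protocol tokens passed as arguments leave SSLv2 enabled.
# Token handling modelled on mod_ssl: "+x" adds, "-x" removes, bare "x" replaces.
allows_sslv2() {
    v2=0
    for tok in "$@"; do
        case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
            all|+all|sslv2|+sslv2) v2=1 ;;
            -all|-sslv2)           v2=0 ;;
            +*|-*)                 ;;       # other protocol toggled, SSLv2 unchanged
            *)                     v2=0 ;;  # bare other protocol replaces the set
        esac
    done
    [ "$v2" -eq 1 ]
}

# Print "LINENO: directive" for each active SSLProtocol line that allows SSLv2.
# A file with no SSLProtocol line is also reported, because the article notes
# that SSLv2 is enabled by default. Exit 0 if clean, 1 if anything was reported.
audit_conf() {
    conf=$1; n=0; found=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f        # split into words without globbing
        [ "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        found=1; shift
        if allows_sslv2 "$@"; then echo "$n: SSLProtocol $*"; bad=1; fi
    done < "$conf"
    if [ "$found" -eq 0 ]; then echo "no SSLProtocol directive (default)"; bad=1; fi
    [ "$bad" -eq 0 ]
}

# Constructed sample config: the post's line, then a weaker, hypothetical vhost.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol -ALL +SSLv3 +TLSv1
# SSLProtocol all
<VirtualHost *:443>
    SSLProtocol all -TLSv1
</VirtualHost>
EOF
audit_conf "$sample" || echo "SSLv2 is still allowed by the lines above"
rm -f "$sample"
```

Commented-out directives are skipped, and each SSLProtocol line is judged on its own, so a permissive line inside one virtual host is reported even when the global line is hardened.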

  1. xenner
    April 26th, 2009 at 13:46 | #1

    I'm using this discryptor.net encryption tool. It is user-friendly, really fast and with explorer integration.

  2. December 10th, 2009 at 09:32 | #2

    How to use the command SSLRequireCipher in apache v2.2?

  3. May 3rd, 2010 at 05:31 | #3

    This post is very useful, thx!

  4. JohnT
    June 21st, 2010 at 19:43 | #4

    I am finding this info some sort of useful. I wish the author would give a more specific location of each file and what changes need to be made if you want to go from SSL 2.0 to SSL 3.0.

  5. Rapidshare Search
    January 26th, 2011 at 16:50 | #5

    Good blog post. I like your point of view and I want to thank you for interesting and helpful information. Thank you!
    http://crazyupload.net/

  6. Shady Demian
    March 14th, 2011 at 09:14 | #6

    Can anybody tell what will be the result of openssl s_client -ssl2 -connect localhost:443
    command if ssl v2 is allowed?

  7. Don
    March 23rd, 2011 at 03:32 | #7

    to meet FIPS 140-2 compliant. Cipher RC4-MD5 is Non-Compliant. And, all of Cipher

    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_RC4_128_SHA

    are Non-compliant. How to disable all of those Non-Compliant to meet FIPS 140-2 compliant.

    Thanks,
    Don

  8. June 16th, 2011 at 05:51 | #8

    Please try:
    These instructions detail how to Disable SSL 2.0 (SSLv2) in Apache so that only SSL 3.0 (SSLv3) and TLS 1.0 are accepted for SSL connections.

    Login to the server via SSH
    Backup the existing apache conf file
    cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
    Comment out the existing references to SSLCipherSuite in the httpd.conf
    sed -i 's/SSLCipherSuite/#SSLCipherSuite/g' /etc/httpd/conf/httpd.conf
    Add the following two lines to the httpd.conf
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+Enull
    Check the Apache configuration
    /etc/init.d/httpd configtest
    If the config test passes; restart apache.
    /etc/init.d/httpd restart

  9. Chelotobar
    June 20th, 2011 at 23:24 | #9

    Friends!
    I need to disable the support for SSLv2 on Tomcat. In the post you put

    Tomcat
    sslProtocol="SSLv3"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_

    But, I don't know where I have to put this line. Could you tell me please!!!

    Thanks!
